Note to markers


Markers are expected to use their experience and judgement as professional 
auditors, bound by the CQI and IRCA code of conduct. 


Markers must give due consideration to logically argued solutions that might not 
conform precisely to the typical solution and other answers may be acceptable. This 
is especially relevant when marking sections three and four. 


Marker One, and Marker Two where applicable, shall annotate learners’ examination 
papers clearly to show where each mark is given and shall record their justification 
for awarding marks outside of the typical solution. Markers should use the margins 
provided for this, ensuring that marks and justifications given by each marker are 
clearly discernible for review by the CQI and IRCA Training Assessor. 
Section one — Five questions worth two marks each — maximum 10 marks


Statements in italics are for reference only and are not part of the expected answer. 


1.1 Identify two ways in which an auditor can verify that agreed corrective actions have been
effectively implemented.

(2 marks)
Typical solution

• Acceptance of a written response.
• Evaluation of submitted evidence.
• Verification of corrective action at the audit location.

Note to marker: Award 1 mark each for any TWO of the above up to a maximum of 2 marks.


1.2 List four typical resource requirements you would expect to consider when selecting Business
Continuity strategies and solutions.

(2 marks)
Typical solution

• People
• Information & data
• Physical infrastructure
• Equipment and consumables
• Information and communication technology systems
• Transportation and logistics
• Finance
• Partners and suppliers

Note to marker: Award 0.5 mark each for any FOUR of the above up to a maximum of 2 marks.


1.3 List four aspects each Business Continuity Plan must include.

(2 marks)
Typical solution

• Purpose and scope
• Objectives
• Actions to implement the solutions
• Supporting information needed to activate, operate, coordinate and communicate the team’s actions
• A process for standing down
• Roles, responsibilities and authorities of the team that will implement the plan
• Resource requirements
• The reporting requirements
• Internal and external interdependencies

Note to marker: Award 0.5 mark each for any FOUR of the above up to a maximum of 2 marks.


1.4 Identify two sources of dependency which may be highlighted during the Business Impact
Analysis process.

(2 marks)
Typical solution

• Supplier
• Outsource Partner
• Single Point of Failure
• Key process(es)
• Critical equipment
• Corporate Sponsor
• Regulator(s)

Note to marker: Award 1 mark each for any TWO of the above up to a maximum of 2 marks overall.


1.5 List two BCM requirements persons working under the control of the organisation must be aware
of.

(2 marks)
Typical solution

• Policy
• How they contribute to the effectiveness of the BCMS
• Implications of not conforming to the BCMS requirements
• Their own role & responsibilities before, during and after disruptions

Note to marker: Award 1 mark each for any TWO of the above up to a maximum of 2 marks overall.


CQI and IRCA Solutions to BCMS Specimen exam paper, February 2020. Amended for use on certified course XXXX
operated by ATP xxxx


Section two — four questions worth five marks each — maximum 20 marks 


2.1 a) Describe briefly a method you could use to evaluate top management commitment.

(2 marks)
Typical solution

• Interviews with ‘top management’ to determine:
  • Their involvement in establishing a business continuity policy.
  • Their experience in signing off plans and participating in exercises.
  • How they direct and support continual improvement.
  • How they ensure BCMS objectives and plans are established.

Note to marker: Alternative methods may be acceptable.


b) Give three examples of objective evidence you would gather as part of your evaluation of top
management commitment.

(3 marks)
Typical solution

Examples of objective evidence include:
• One or more persons appointed to be responsible for the BCMS.
• The BC policy.
• Involvement in the management review process.
• Evidence that BCMS requirements are integrated into the organisation’s business processes.
• Establishing roles, responsibilities and competencies for BCM.

Note to marker: Award 1 mark for each of the above, or other acceptable answers from ISO 22301,
up to a maximum of 3 marks.


2.2 List ten examples of documentation and records that an auditor would typically need to have
sight of during a stage 1 initial BCMS audit.

(5 marks)
Typical solution

• Organisation chart, company introduction
• BCMS scope statement
• BC Policy statement
• BC Objectives
• Business Impact Analysis
• Business Continuity Plans and Procedures
• BCMS Exercise and Test schedule/sample reports
• BCMS Resource Plan
• BCMS Training records
• Risk Register/Assessment
• Internal BCMS Audit schedule/sample reports
• Legal and regulatory requirements
• Supply chain strategy/list of critical suppliers

Note to marker: Award 0.5 mark for each of the above, or other acceptable answers, to a
maximum of 5 marks.


2.3 Identify five likely competency requirements for a second or third party BCMS auditor to achieve.

(5 marks)
Typical solution

• Recognised Auditor/Lead Auditor qualification
• Professional Business Continuity Management qualification
• Understanding Business Impact Analysis methodology and application
• Appreciation and understanding of undertaking a risk assessment
• BCM Exercise and Test methods and application
• In-depth knowledge of ISO 22301 and supporting documentation
• Experience of having worked in or a working knowledge of the type of organisation being
  audited

Note to marker: Award 1 mark for each of the above, or other acceptable answers, to a maximum
of 5 marks.


2.4 List five main topics that must be included in the warning and communication procedure(s).

(5 marks)
Typical solution

• What, where, with whom and how communications are made to interested parties
• Receiving, documenting and responding to communications from interested parties
• Ensuring the availability of the means of communication during a disruption
• The facilitation of communication with emergency responders
• Providing details of the organisation’s media response following an incident
• Recording the details of the disruption

Note to marker: Award 1 mark for each of the above, or other acceptable answers, to a maximum
of 5 marks.
Section three — three questions worth ten marks each — maximum 30 marks


Marks should be given for alternative answers that are logically presented and comply with the requirements 
of ISO 22301. 


3.1 a) In your own words, state your understanding of the term Business Impact Analysis.

(2 marks)
and

Explain why business continuity management relies heavily on this process.

(3 marks)
Typical solutions


Business impact analysis (BIA) is the process of analysing operational functions and the effect that
a disruption might have upon them. It will take into account the context of the organisation, the
needs and expectations of its interested parties, and legal and regulatory requirements, and establish
time-driven priorities for resuming key activities to a specified minimum level.


Note to marker: Award 2 marks for an appropriate answer as above. 


The organisation relies heavily upon the output of the BIA as this is the tool which identifies the
priorities to the business in terms of resumption of activities following a disruption. If this is
incorrect it is possible that critical business areas may be overlooked or not given the focus
required to ensure that business and contractual requirements are maintained during and after
an incident. The BIA process will also identify the dependencies and supporting resources for
these prioritised activities and will ensure that, through effective planning, sufficient resources
will be available during an incident to maintain pre-determined activity levels. By understanding
the BCM capabilities of key suppliers, the organisation will have appropriate levels of information
to determine whether existing arrangements meet the needs of the organisation or whether
additional and/or alternate suppliers may be required. Accurate analysis will support the
development of the most appropriate business continuity strategies for the organisation.


Note to marker: Award 3 marks for an appropriate answer as above. 
b) Outline factors that will affect the method by which a BIA is carried out.

(2 marks)
and

State the different methods of conducting a business impact analysis and who might be involved
in the process.

(3 marks)
Typical solution


The method by which a BIA is conducted will depend on a number of factors, predominantly 
around the size and complexity of the organisation and the resources made available to complete 
the exercise. Industry sector may determine the method, based on the type of activities carried 
out as well as the cultural approach to such exercises by the organisation. 


Note to marker: Award 2 marks for an appropriate answer as above. 


Methods will typically include workshops, questionnaires, interviews or management review (or
a combination of these).


Depending on the size and complexity of the organisation it is usually beneficial to involve one or 
more teams who together represent the core activities of the business and whose roles ensure a 
solid understanding of the activities and customer expectations. Where workshops are 
undertaken these might include group brainstorming sessions around activities undertaken 
whereas interviews may be more targeted to the individual being questioned. Questionnaires are 
likely to be used in larger organisations where there are significant amounts of data to be 
gathered. The risk with questionnaires is that without personal intervention at the data gathering 
stage, the information collected may be inconsistent or inaccurate. All BIA information should be 
validated by the BCM team so that the results reflect the scope and objectives of the BCMS. 


Note to marker: Award 3 marks for an appropriate answer as above. 
3.2 Identify the key elements to a Business Impact Analysis and Risk Assessment, and state why they
are both important and complementary.

(10 marks)
Typical solution

• Business Impact Analysis — definition from ISO 22301 (para 3.5) (1 mark)
• Risk — definition from ISO 22301 (para 3.30) (1 mark)
• BIA driven by impact and time, prioritised activities and business continuity objectives and targets (1 mark)
• Risk assessment identifies treatments commensurate with BC objectives and risk appetite (1 mark)
• Risk is a wider subject than BCM and RA in BCM is not full risk management (1 mark)
• BCM has less concern with probability; if it is possible then impact is the key driver for strategy (1 mark)
• Risk assessment helps management define Risk Appetite and then this is a key input to BCM Strategy decisions (1 mark)
• BCM delivers solutions within the defined risk profile (1 mark)
• BCM concentrates on prioritised activities (1 mark)
• Risk assessment will consider and prioritise risk treatments and their related costs (1 mark)
3.3 List two main topics that must be considered by the organisation in order to carry out changes to
the BCMS in a planned manner.

(2 marks each)
and

For each topic, outline the potential consequences of these topics not being considered.

(3 marks each)
Typical solution

The organisation shall consider:

a) the purpose of the changes and their potential consequences (2 marks)
Consequences of non-consideration (3 marks)
• Unnecessary changes may be carried out
• Changes may adversely affect other areas
• Some areas for change may be missed

b) the integrity of the BCMS (2 marks)
Consequences of non-consideration (3 marks)
• Documentation may become not current
• Processes may not function properly (together)
• Communications break down

c) the availability of resources (2 marks)
Consequences of non-consideration (3 marks)
• Additional resources may not be available
• Current resources may not be suitable
• Additional time may be required to install the resources

d) the allocation or reallocation of responsibilities and authorities (2 marks)
Consequences of non-consideration (3 marks)
• Teams may not be aware of their changed responsibilities
• Training needs may not be identified
• Tasks may not be actioned as required

(10 marks)
Section four — three questions worth 10 marks each — maximum 30 marks


Questions in this section are designed to test the learner’s ability to analyse audit situations, evaluate
objective evidence and apply knowledge of the audit criteria correctly.


Learners are required to either:

• Complete the nonconformity report template.

Marking scheme for a nonconformity:

• For correctly identifying the scenario as a nonconformity (2 marks)
• For a clear description of the nonconformity (3 marks)
• For correctly quoting relevant evidence (3 marks)
• For correctly identifying the relevant ISO/IEC 22301 requirement (1 mark)
• Overall clarity of the nonconformity report (1 mark)

Note to marker: If learners raise a nonconformity report when there is no nonconformity, 0 (zero) marks
will be awarded.


OR


• Complete the audit investigation template, clearly stating:
  • Their reason(s) for thinking there is not yet sufficient evidence to report their findings as a
    nonconformity (2 marks)
  • How they would investigate to determine conformity or nonconformity, including audit trails they
    would follow and specific examples of objective evidence they would seek and for what purpose (8 marks)

Note to marker: If learners complete the audit investigation template for a situation where there is
evidence that a nonconformity exists, a maximum of 7 marks may be awarded as follows:

• Providing a valid reason why there is insufficient evidence for a nonconformity (2 marks)
• Providing relevant audit trails as above (5 marks)

Note to marker: Marks should only be awarded where the audit investigation trails are relevant to the
situation and would provide further evidence of conformance or non-conformance.
4.1 — Audit situation one:


You are conducting an initial audit and ask the Business Continuity Manager to show you the most recent 
management review meeting minutes. He provides a set of slides and the minutes of the last Board 
Meeting, held two weeks ago. 


Upon review, you conclude that the slides covered the following topics; outstanding issues since last 
meeting, sales revenue, customer complaints and internal nonconformities, risk register review, 
forthcoming marketing event and a summary of the business continuity policy and objectives. The only 
reference to the BCMS in the meeting minutes is to confirm that the policy and objectives appear current 
and the achievement of the two objectives. 


A follow up meeting has been scheduled for next week as the main board director had to leave the 
meeting early and it was agreed that the meeting agenda would be completed at a later date. 


Solution — No nonconformity 


BCMS AUDIT INVESTIGATION 1 


For correctly identifying there is no nonconformity and further investigation is needed to determine how
the organisation evaluates the management review process.

(2 marks)
Points of investigation and evidence sought:

• Agenda — has one been produced for the BCMS management review or incorporated into the Board
  Meeting agenda? What remains to be covered at the follow up Board Meeting in terms of the BCMS?
  This may result in the raising of a nonconformity if a full BCMS agenda is not evident. (9.3)
• If a BCMS agenda does exist, what does it cover? Is it compliant with all the requirements of clause 9.3?
• Meeting frequency — how often has/will a review of the BCMS take place with the top management?
  (9.3)
• Information — what information was provided to the Board prior to the review of the BCMS and is it
  sufficient for review and subsequent discussion? (9.3)
• Actions — establish what the protocols are for agreeing actions arising from the meeting and how
  responsibilities are assigned and followed up. (9.3)

Note to marker: At least four audit trails required; deduct 1 mark from each trail where the (correct) ISO
22301 clause is not stated. Other relevant points of investigation along with stated evidence and ISO clause
may be accepted.
4.2 — Audit situation two:


During an audit of the BCMS, you ascertain there is a BCM maintenance schedule requiring at least annual 
reviews of the Business Impact Analysis (BIA). 


The organisation conducted the last review three months ago and as part of your agenda, you undertake 
an independent review of the BIA and recent review. During your review you learn from the Business 
Continuity Manager that six months ago the organisation took and implemented the decision to 
outsource its critical IT Help Desk to a third party. 


A review of the BIA indicates that all departments carried out a review of their respective activities 
including the IT Department and reference to previous internal IT support activities remain within the 
BIA. 


Solution — Nonconformity 


BCMS AUDIT — NONCONFORMITY REPORT 2 


Nonconformity (2 marks for identifying the scenario as a nonconformity) 
Description of the nonconformity (3 marks for identifying the failure) 


The organisation has not carried out an adequate review of its BIA as the fact that a critical activity had 
been outsourced since the last review was not highlighted. 


This indicates that either the BIA reviewer for the IT Department is unaware of the need to identify such 
arrangements as part of the BIA process or that the BIA approval process is not sufficiently robust (or 
both). 


Evidence (3 marks for identifying the evidence) 


The BIA does not accurately reflect current dependency on an outsource provider or the terms of the new 
business arrangement in respect of recovery time objectives. 


ISO 22301:2019 clause and requirement: 


8.2.2 h determine the dependencies, including partners and suppliers, and interdependencies of 
prioritized activities. 


Note to marker: Award 1 mark for clause and requirement plus 1 mark for clarity of answer 
4.3 — Audit situation three:


You are conducting an initial audit of a corporate travel agency and establish that the risk assessment 
does not explicitly consider espionage or sabotage. You suspect that these may be considered as 
significant risks and should be addressed. A review of risk assessments is planned within the next 6 
months. 


Solution — No nonconformity 


BCMS AUDIT INVESTIGATION 3 


For correctly identifying there is no nonconformity and further investigation is needed to determine how 
the organisation manages the risk assessment process. 

(2 marks) 
Points of investigation and evidence sought: 


• Risk identification — establish how the risks of disruption are identified (8.2.3)
• Treatment of risks — establish how it is determined which risks require treatment (8.2.3)
• Risk evaluation — determine how the risks are analysed and evaluated (8.2.3)
• Responsibilities — investigate who is responsible for identifying new/changed risks (8.2.3)
• Change control — inquire as to how identified new risks are mitigated within the BCMS (6.3)

Note to marker: At least four audit trails required (2 marks per trail to a max of 8 marks); deduct 1 mark
from each trail where the (correct) ISO 22301 clause is not stated. Other relevant points of investigation
along with stated evidence and ISO clause may be accepted.


THIS IS THE END OF THE EXAMINATION PAPER 